• I'm running a multisite with a few sub sites using different themes.

    When users log out of a site, they get redirected to the network master, which in their eyes is a totally different website and is confusing. It's like logging out of NBC and being redirected to Microsoft. On some sites people logging out get redirected to the backend login screen. This is crazy; why is it so hard to keep website users inside the website?

    The second issue is with the wp-login page. It is a known security flaw because it's consistent on all WP sites unless someone changes the code or uses a plugin. I think this should be addressed in the basic WP installation and not left to 3rd party modification. As soon as I enable registrations, my sites get spammed with bots trying to log in because of course they know the login address /wp-login.php. Is there a simple, non-technical, not over-bloated plugin solution?

    Lastly, I am trying to find a way for people to log in to my websites using Facebook and Twitter but the plugins I have found so far seem to be dependent on 3rd parties or poorly supported. It's so common around the internet, I guess I was expecting one plugin to stand out from the crowd and be the default that most WP people use.

    If you could help me out of login hell I would greatly appreciate it, I just want to make the process a lot smoother for users than it is now.

  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    This is crazy, why is it so hard to keep website users inside the website?

    Try this plugin: https://wordpress.org/plugins/remove-dashboard-access-for-non-admins/

    [wp-login.php] is a known security flaw because its consistent on all WP sites unless someone changes the code or uses a plugin.

    I wouldn’t call it a security flaw. If wp-login.php is a security flaw, then so is https://accounts.google.com/ServiceLogin and https://twitter.com/login and https://www.facebook.com/login

    Security comes down to the quality of your password, and perhaps an added two-factor authentication or any other security plugin.

    Is there a simple, non technical, non over bloated plugin solution?

    First, add this to your .htaccess file:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Only POST requests (form submissions), not the GET that shows the form...
    RewriteCond %{REQUEST_METHOD} POST
    # ...aimed at the login or comment-posting handler...
    RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php
    # ...that carry no Referer from your own domain (or Jetpack Comments)...
    RewriteCond %{HTTP_REFERER} !(example\.com|jetpack\.wordpress\.com) [OR]
    # ...or send an empty User-Agent, which no browser does.
    RewriteCond %{HTTP_USER_AGENT} ^$
    # Bounce the request back to the client's own address.
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
    </IfModule>

    Replace “example.com” with your domain, and if you aren’t using Jetpack Comments, remove “|jetpack.wordpress.com”.

    This will prevent bots from directly attacking wp-login.php and wp-comments-post.php; they will need to go through the forms to log in or leave comments.

    After that, install a plugin like http://wordpress.org/plugins/bruteprotect/ to catch anything else that makes it through.

    I am trying to find a way for people to login to my websites using Facebook and Twitter but the plugins I have found so far seem to be dependent on 3rd parties or poorly supported.

    Have you tried https://wordpress.org/plugins/facebook/ ?
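
    For the logout and login redirect problem raised at the top of the thread, here is an added example (not code from the thread or from any plugin mentioned here) that keeps users on the subsite they came from. It is a must-use plugin using WordPress's own `logout_redirect` and `login_redirect` filters; dropping it into `wp-content/mu-plugins/` loads it on every site in the network. The capability check (`edit_posts`) used to decide who still lands in the dashboard is an assumption; adjust it to your roles.

```php
<?php
/**
 * Plugin Name: Keep users on this subsite after login and logout
 * Description: Added example for a multisite network. Install as an mu-plugin.
 */

// After logging out, stay on the front page of the site the user logged out
// from. home_url() resolves to the current subsite on multisite, so users are
// not bounced to the network's main site or to the wp-login.php screen.
add_filter( 'logout_redirect', function ( $redirect_to, $requested_redirect_to, $user ) {
    return home_url( '/' );
}, 10, 3 );

// After logging in, ordinary members go to the front page; anyone who can edit
// content keeps WordPress's default destination (normally the dashboard).
// $user is a WP_User on success and a WP_Error on a failed login, so check
// the type before looking at capabilities.
add_filter( 'login_redirect', function ( $redirect_to, $requested_redirect_to, $user ) {
    if ( $user instanceof WP_User && ! user_can( $user, 'edit_posts' ) ) {
        return home_url( '/' );
    }
    return $redirect_to;
}, 10, 3 );
```

    Theme logout links should also pass a destination explicitly, e.g. `wp_logout_url( home_url( '/' ) )`, so that the front-end link and the filter agree; the filter above is what catches the cases where a link or plugin omits it.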

    Thread Starter micvideo

    (@oceandigital)

    Thank you for the reply, I really appreciate the help.

    I wouldn’t call it a security flaw. If wp-login.php is a security flaw, then so is https://accounts.google.com/ServiceLogin and https://twitter.com/login and https://www.facebook.com/login

    I believe those are the URLs for user logins, not administrators. I doubt Mark Zuckerberg goes to that address to login to the back end of Facebook. WP uses one login page for both front and back, or at least it looks that way. I used to use Joomla a lot and to access the ‘dashboard’ I used a /administrator URL. Anyway, it would be nice if the back end login was completely separate in WP. I’ll have a look at the plugin you suggested and get back to you.

    I really do not want to modify my htaccess file, it’s taken me out many times when I manually edit. I use Wordfence which I think locks out attackers and defends the site like you suggest. I would like to know more about that code before inserting it and check what I currently have.

    Have you tried https://wordpress.org/plugins/facebook/ ?

    No, but I want more than just Facebook login. Twitter and google are also important.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    I believe those are the URLs for user logins, not administrators. I doubt Mark Zuckerberg goes to that address to login to the back end of Facebook. WP uses one login page for both front and back, or at least it looks that way.

    Surprisingly ….

    For Google, at least, that’s how you get in to admin the services. Not the serVER, but then again, I have to SSH in for that. But to use and admin WP? Or Google Apps mail? Yep, same login.

    Using WordFence instead of that htaccess code James suggested is the epitome of what you said you didn’t want to do. Large, bloated, plugin (nothing against WordFence, it’s just huge), vs a quick and simple fix.

    There are plugins like LoginRadius which I hear can do what you want, but you’re really going to have to experiment to find the one you want. :/

    Thread Starter micvideo

    (@oceandigital)

    Can either of you explain a little bit more about the htaccess code you recommended? I don’t know what any of it means.

    Can I add it to my existing code or overwrite it? I can post what I have already here if that would help.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    The code takes anyone directly accessing the login and comment-posting files (without accessing them through the website, in other words something no human in a browser will ever do) and simply redirects them back to themselves, so they can’t even attempt to log in or post a comment.

    More details at http://halfelf.org/2013/wp-login-protection-htaccess/

    Just add it to your .htaccess file, don’t overwrite anything.
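
    To see exactly which requests the .htaccess rule quoted earlier turns away, here is an added example (written for this page, not part of the thread) that models the four RewriteCond lines in PHP and runs a handful of constructed requests through it. The domain `example.com` and the sample headers are assumptions; none of this is real traffic. It also shows the rule's limit: a client that sets both a plausible Referer and a User-Agent is indistinguishable from a browser to mod_rewrite, which is why the moderator pairs the rule with a brute-force plugin.

```php
<?php
// Model of the mod_rewrite conditions. Returns true when the request would be
// redirected to http://%{REMOTE_ADDR}/ instead of reaching WordPress.
function blocked_by_login_rule(array $req): bool {
    // RewriteCond %{REQUEST_METHOD} POST
    if ($req['method'] !== 'POST') {
        return false;
    }
    // RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php
    if (!preg_match('#/(wp-comments-post|wp-login)\.php#', $req['uri'])) {
        return false;
    }
    // RewriteCond %{HTTP_REFERER} !(example\.com|jetpack\.wordpress\.com) [OR]
    // A missing Referer is an empty string to Apache, so it counts as "foreign".
    $foreign_referer = !preg_match('#(example\.com|jetpack\.wordpress\.com)#', $req['referer'] ?? '');
    // RewriteCond %{HTTP_USER_AGENT} ^$
    $empty_agent = ($req['user_agent'] ?? '') === '';
    // [OR] joins the last two conditions: either one alone triggers the redirect.
    return $foreign_referer || $empty_agent;
}

// Constructed sample requests (assumed site domain: example.com).
$samples = [
    'browser opens the login form'     => ['method' => 'GET',  'uri' => '/wp-login.php',
        'referer' => null, 'user_agent' => 'Mozilla/5.0'],
    'browser submits the login form'   => ['method' => 'POST', 'uri' => '/wp-login.php',
        'referer' => 'https://example.com/wp-login.php', 'user_agent' => 'Mozilla/5.0'],
    'bot posts with no Referer'        => ['method' => 'POST', 'uri' => '/wp-login.php',
        'referer' => null, 'user_agent' => 'python-requests/2.0'],
    'bot posts with empty User-Agent'  => ['method' => 'POST', 'uri' => '/wp-comments-post.php',
        'referer' => 'https://example.com/2013/hello-world/', 'user_agent' => ''],
    'bot spoofs both headers'          => ['method' => 'POST', 'uri' => '/wp-login.php',
        'referer' => 'https://example.com/wp-login.php', 'user_agent' => 'Mozilla/5.0'],
];

foreach ($samples as $label => $req) {
    printf("%-34s %s\n", $label,
        blocked_by_login_rule($req) ? 'redirected (blocked)' : 'passed through');
}
```

    The first two requests pass (the rule never touches GET, and a real form submission carries your own domain in the Referer), the third and fourth are blocked, and the last one passes through: the rule filters lazy bots cheaply but is not an authentication control on its own, so rate limiting or lockout in WordPress itself still matters.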

  • The topic ‘Login Hell’ is closed to new replies.